SQSCANGHA-113 Migrate scanner run step

This commit is contained in:
Jeremy Davis
2025-09-10 11:28:29 +02:00
committed by Julien HENRY
parent ed9f3aad50
commit 16df975da5
9 changed files with 448 additions and 137 deletions


@@ -2,6 +2,7 @@ import * as core from "@actions/core";
import * as tc from "@actions/tool-cache";
import * as os from "os";
import * as path from "path";
import { runSonarScanner } from "./run-sonar-scanner";
import {
checkGradleProject,
checkMavenProject,
@@ -16,18 +17,31 @@ import {
const TOOLNAME = "sonar-scanner-cli";
/**
* Inputs are defined in action.yml
*/
function getInputs() {
//FIXME: should not rely on ENV vars
const scannerVersion = process.env.INPUT_SCANNERVERSION; // core.getInput("scannerVersion");
const projectBaseDir = process.env.INPUT_PROJECTBASEDIR; // core.getInput("projectBaseDir") || ".";
const scannerBinariesUrl = process.env.INPUT_SCANNERBINARIESURL; // core.getInput("scannerBinariesUrl");
const args = core.getInput("args");
const projectBaseDir = core.getInput("projectBaseDir");
const scannerBinariesUrl = core.getInput("scannerBinariesUrl");
const scannerVersion = core.getInput("scannerVersion");
return { scannerVersion, projectBaseDir, scannerBinariesUrl };
return { args, projectBaseDir, scannerBinariesUrl, scannerVersion };
}
function getRunnerEnv() {
return {
RUNNER_OS: process.env.RUNNER_OS,
SONARCLOUD_URL: process.env.SONARCLOUD_URL,
RUNNER_DEBUG: process.env.RUNNER_DEBUG,
SONAR_ROOT_CERT: process.env.SONAR_ROOT_CERT,
RUNNER_TEMP: process.env.RUNNER_TEMP,
};
}
function runSanityChecks(inputs) {
try {
const { scannerVersion, projectBaseDir } = inputs;
const { projectBaseDir, scannerVersion } = inputs;
validateScannerVersion(scannerVersion);
checkSonarToken(core);
@@ -39,7 +53,7 @@ function runSanityChecks(inputs) {
}
}
async function installSonarScannerCLI(scannerVersion, scannerBinariesUrl) {
async function installSonarScannerCLI({ scannerVersion, scannerBinariesUrl }) {
const flavor = getPlatformFlavor(os.platform(), os.arch());
// Check if tool is already cached
@@ -83,14 +97,21 @@ async function installSonarScannerCLI(scannerVersion, scannerBinariesUrl) {
async function run() {
try {
const inputs = getInputs();
const { scannerVersion, scannerBinariesUrl } = inputs;
const { args, projectBaseDir, scannerVersion, scannerBinariesUrl } =
getInputs();
// Run sanity checks first
runSanityChecks(inputs);
runSanityChecks({ projectBaseDir, scannerVersion });
// Install Sonar Scanner CLI using @actions/tool-cache
await installSonarScannerCLI(scannerVersion, scannerBinariesUrl);
const scannerDir = await installSonarScannerCLI({
scannerVersion,
scannerBinariesUrl,
});
// Run the sonar scanner
const runnerEnv = getRunnerEnv();
await runSonarScanner(args, projectBaseDir, scannerDir, runnerEnv);
} catch (error) {
core.setFailed(`Action failed: ${error.message}`);
process.exit(1);
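Review bot: `getRunnerEnv()` forwards `RUNNER_TEMP` with no fallback, and the new `runSonarScanner` builds `path.join(RUNNER_TEMP, "tmpcert.pem")` from it, so on a runner where that variable is unset and `SONAR_ROOT_CERT` is provided the step dies with a bare TypeError about the path argument, surfaced by the catch in `run()` as an opaque `Action failed:` message. `os` is already imported in this file, so `RUNNER_TEMP: process.env.RUNNER_TEMP ?? os.tmpdir(),` keeps current behaviour on GitHub-hosted runners and degrades sensibly elsewhere. The `args` input bypasses `runSanityChecks` and goes straight to the scanner; that looks acceptable because it is split into an argv array and passed to `exec.exec` without a shell, but a short comment in `run()` stating that this is why no validation is applied would help the next reader. The body of `run()` continues past the end of the hunk.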

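--- /dev/null
+++ b/src/run-sonar-scanner.js
@@ -0,0 +1,140 @@
+import * as exec from "@actions/exec";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { parseArgsStringToArgv } from "string-argv";
+export async function runSonarScanner(
+inputArgs,
+projectBaseDir,
+scannerDir,
+runnerEnv = {}
+) {
+const {
+RUNNER_DEBUG,
+RUNNER_OS,
+RUNNER_TEMP,
+SONAR_ROOT_CERT,
+SONARCLOUD_URL,
+} = runnerEnv;
+const scannerBin =
+RUNNER_OS === "Windows" ? "sonar-scanner.bat" : "sonar-scanner";
+const scannerArgs = [];
+if (SONARCLOUD_URL) {
+scannerArgs.push(`-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}`);
+}
+if (RUNNER_DEBUG === "1") {
+scannerArgs.push("--debug");
+}
+if (projectBaseDir) {
+scannerArgs.push(`-Dsonar.projectBaseDir=${projectBaseDir}`);
+}
+// The SSL folder may exist on an uncleaned self-hosted runner
+const sslFolder = path.join(os.homedir(), ".sonar", "ssl");
+/**
+* Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
+* keytool requires a password > 6 characters, so we won't use the default password 'sonar'
+*/
+const keytoolMainClass = "sun.security.tools.keytool.Main";
+const truststoreFile = path.join(sslFolder, "truststore.p12");
+const truststorePassword = "changeit";
+if (fs.existsSync(truststoreFile)) {
+let aliasSonarIsPresent = true;
+try {
+await exec.exec(
+`${scannerDir}/jre/bin/java`,
+[
+keytoolMainClass,
+"-storetype",
+"PKCS12",
+"-keystore",
+truststoreFile,
+"-storepass",
+truststorePassword,
+"-noprompt",
+"-trustcacerts",
+"-list",
+"-v",
+"-alias",
+"sonar",
+],
+{ silent: true }
+);
+} catch (_) {
+aliasSonarIsPresent = false;
+console.log(
+`Existing Scanner truststore ${truststoreFile} does not contain 'sonar' alias`
+);
+}
+if (aliasSonarIsPresent) {
+console.log(
+`Removing 'sonar' alias from already existing Scanner truststore: ${truststoreFile}`
+);
+await exec.exec(`${scannerDir}/jre/bin/java`, [
+keytoolMainClass,
+"-storetype",
+"PKCS12",
+"-keystore",
+truststoreFile,
+"-storepass",
+truststorePassword,
+"-noprompt",
+"-trustcacerts",
+"-delete",
+"-alias",
+"sonar",
+]);
+}
+}
+if (SONAR_ROOT_CERT) {
+console.log("Adding SSL certificate to the Scanner truststore");
+const tempCertPath = path.join(RUNNER_TEMP, "tmpcert.pem");
+try {
+fs.unlinkSync(tempCertPath);
+} catch (_) {
+// File doesn't exist, ignore
+}
+fs.writeFileSync(tempCertPath, SONAR_ROOT_CERT);
+fs.mkdirSync(sslFolder, { recursive: true });
+await exec.exec(`${scannerDir}/jre/bin/java`, [
+keytoolMainClass,
+"-storetype",
+"PKCS12",
+"-keystore",
+truststoreFile,
+"-storepass",
+truststorePassword,
+"-noprompt",
+"-trustcacerts",
+"-importcert",
+"-alias",
+"sonar",
+"-file",
+tempCertPath,
+]);
+scannerArgs.push(
+`-Dsonar.scanner.truststorePassword=${truststorePassword}`
+);
+}
+if (inputArgs) {
+const args = parseArgsStringToArgv(inputArgs);
+scannerArgs.push(...args);
+}
+await exec.exec(scannerBin, scannerArgs);
+}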
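Review bot: The `keytool -list` probe in `runSonarScanner` treats every non-zero exit as "alias absent": because it runs with `silent: true` and the catch discards the error, a truststore left on a self-hosted runner that was created with a different store password or in a different format is reported as `does not contain 'sonar' alias`, the `-delete` is skipped, and the failure only resurfaces at the later `-importcert` call with no hint that the pre-existing file is the cause. Using `ignoreReturnCode: true` and capturing stderr lets the step still proceed on the missing-alias case while logging what keytool actually said. Two smaller points in the same function: the `catch (_)` around `fs.unlinkSync(tempCertPath)` swallows more than ENOENT (an EACCES there will reappear as a confusing `writeFileSync` error one line later, so `if (e.code !== "ENOENT") throw e;` is the safer guard), and `tempCertPath` is never removed after the import, so the PEM lingers in `RUNNER_TEMP`; it is a public root certificate, so this is hygiene rather than a leak.

```javascript
let aliasSonarIsPresent = true;
let keytoolStderr = "";
const listExitCode = await exec.exec(
  `${scannerDir}/jre/bin/java`,
  [
    // … unchanged: keytool -list arguments …
  ],
  {
    silent: true,
    ignoreReturnCode: true,
    listeners: {
      stderr: (data) => {
        keytoolStderr += data.toString();
      },
    },
  }
);
if (listExitCode !== 0) {
  aliasSonarIsPresent = false;
  console.log(
    `Existing Scanner truststore ${truststoreFile} does not contain 'sonar' alias`
  );
  // Surface the real keytool diagnostic (wrong password, bad format, ...) instead of dropping it.
  if (keytoolStderr.trim()) {
    console.log(`keytool output: ${keytoolStderr.trim()}`);
  }
}
// … unchanged: alias deletion and certificate import …
```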